Abstract


The use of learning to automate assume-guarantee style reasoning has received a lot of attention in recent years. This paradigm has already been used successfully for checking trace containment, as well as simulation, between concurrent systems and their specifications. In this report, the learning-based automated assume-guarantee paradigm is extended to perform compositional deadlock detection. Failure automata are defined as a generalization of finite automata that accept regular failure sets. A learning algorithm is developed that constructs the minimal deterministic failure automaton accepting any unknown regular failure set using a minimally adequate teacher. This report shows how this algorithm can be used for compositional regular failure language containment and deadlock detection, using non-circular and circular assume-guarantee rules. Finally, an implementation of these techniques and encouraging experimental results on several nontrivial benchmarks are presented.
1 Introduction


Ensuring deadlock freedom is one of the most critical requirements in the design and validation of systems. The biggest challenge toward the development of effective deadlock detection schemes remains the state-space explosion problem. Compositional reasoning [de Roever 98, McMillan 97, Grumberg 94] is recognized to be one of the most promising approaches for alleviating state-space explosion. This report presents an automated compositional deadlock detection procedure based on assume-guarantee (AG) [Pnueli 85] reasoning.

AG reasoning revolves around a proof rule that relates system components and assumptions about them to global system properties. Typically, to apply the proof rule, one must manually construct appropriate assumptions that discharge the premises of the rule. In most realistic situations, suitable assumptions are complicated. The absence of automated assumption-generation techniques has held back the wider practical adoption of AG reasoning.

An important breakthrough has been the use of learning algorithms for assumption construction [Cobleigh 03]. The general idea is to learn an automaton corresponding to the weakest assumption [Giannakopoulou 02] that can discharge the AG premises. The learning process is embedded in the overall verification procedure in a way that guarantees termination with the correct result. The choice of the learning algorithm is dictated by the kind of automaton that can represent the weakest assumption, which in turn depends on the verification goal. For example, in the case of trace containment [Cobleigh 03], the weakest assumptions are naturally represented as deterministic finite automata, and this leads to the use of the L* learning algorithm [Angluin 87]. Similarly, in the case of simulation [Chaki 05a], the corresponding choices are deterministic tree automata and a learning algorithm for them.

Nonetheless, neither learning algorithm is appropriate for deadlock detection. Word and tree automata are unable to capture failures [Hoare 85], a critical concept for understanding and detecting deadlocks. While any deadlock detection problem can be transformed into an ordinary trace containment problem, such schemes invariably introduce new components and an exponential number of actions. As a result, these strategies are not scalable. Our work started with a search for an appropriate automata-theoretic formalism that can handle failures directly. Our deadlock detection algorithm uses learning-based automated AG reasoning and does not require additional actions or components.

Two  key  parts  of  our  solution  are:  (1)  a  new  type  of  acceptors  for  regular  failure  languages 
(RFLs)  with  a  non-standard  accepting  condition  and  (2)  a  notion  of  parallel  composition 
between  these  acceptors  that  is  consistent  with  the  parallel  composition  of  the  languages  they 
accept.  Our  accepting  condition  is  novel  and  employs  a  notion  of  maximality  that  crucially 
avoids  introducing  an  exponential  number  of  new  actions.  To  the  best  of  our  knowledge,  such 
acceptors  and  their  composition  have  not  been  discussed  before.  In  addition,  we  believe  that 
this  report  presents  the  first  use  of  learning  in  the  context  of  automated  AG  reasoning  for 
deadlock  detection. 

In Section 2, we present the theory of regular failure languages, which are downward closed, and define failure automata that accept exactly the set of regular failure languages. RFLs are closed under union and intersection but not under complementation; this is an acceptable trade-off for the use of maximality. Further, we show a Myhill-Nerode-like theorem for RFLs and failure automata.

We show, in Section 3, that the failure language of a labeled transition system (LTS) $M$ is regular and that checking deadlock freedom for $M$ is a particular instance of the problem of checking RFL containment. Then, we present an algorithm for checking containment of RFLs. We cannot check containment between failure languages $L_1$ and $L_2$ by complementing $L_2$ and intersecting with $L_1$, since (as we noted above) RFLs are not closed under complementation.

In Section 4, we present a sound and complete non-circular AG rule, AG-NC, on failure languages for checking failure language specifications. Given failure languages $L_1$ and $L_S$, we define the weakest assumption failure language $L_W$ such that for every $L_A$ with $L_1 \| L_A \subseteq L_S$, we have $L_A \subseteq L_W$. We then show constructively that if the failure languages $L_1$ and $L_S$ are regular, then $L_W$ exists uniquely, is regular, and is accepted by a minimum failure automaton $A_W$.

Section 5 details the development of an algorithm, L^, to learn the minimum deterministic failure automaton that accepts an unknown regular failure language $U$ using a minimally adequate teacher that can answer membership and candidate queries pertaining to $U$. We show how the teacher can be implemented using the RFL containment algorithm mentioned above.

In Section 6, we develop an automated and compositional deadlock detection algorithm that employs AG-NC and L^.

Section  7  defines  a  circular  AG  proof  rule  AG-Circ  for  deadlock  detection  and  shows  how  to 
use  it  for  automated  and  compositional  deadlock  detection. 

As we show in Section 8, we have implemented our approach in the ComFoRT [Chaki 05b] reasoning framework. We present encouraging results on several nontrivial benchmarks, including an embedded OS and Linux device drivers.

Finally,  Section  9  summarizes  our  conclusions. 
2 Related Work


Machine-learning techniques have been used in several contexts related to verification [Peled 99, Groce 02, Alur 05a, Habermehl 05, Ernst 99]. We follow the approach of Cobleigh, Giannakopoulou, and Pasareanu [Cobleigh 03] (respectively Chaki and colleagues [Chaki 05a]) to automate assume-guarantee reasoning for trace containment (or simulation) between finite state systems.^1 However, we apply this general paradigm to deadlock detection. Our learning algorithm may also be of independent interest. Rivest and Schapire proposed an improvement to Angluin's L* that substantially improves its complexity [Rivest 93]; our algorithm has the same spirit as this improved version of L*. The use of circular AG rules was also investigated in the context of trace containment by Barringer, Giannakopoulou, and Pasareanu [Barringer 03].

Overkamp explored the synthesis of supervisory controllers for discrete-event systems [Overkamp 97] based on failure semantics [Hoare 85]. His notion of the least restrictive supervisor that guarantees deadlock-free behavior is similar to the weakest failure assumption in our case. However, our approach differs as follows: (1) we use failure automata to represent failure traces; (2) we use learning to compute the weakest failure assumption automatically; and (3) our focus is on checking deadlocks in software modules. Williams, Thies and Ernst investigated an approach based on static analysis for detecting deadlocks that incorrect lock manipulation by Java libraries can cause [Williams 05].^2 The problem of detecting deadlocks for pushdown programs communicating only via nested locking has been investigated by Kahlon, Ivancic and Gupta [Kahlon 05]. In contrast, we present a model-checking-based framework to compositionally verify deadlock freedom for non-recursive programs with arbitrary lock-based or rendezvous communication. Other non-compositional techniques for detecting deadlock have been investigated in the context of partial-order reduction [Holzmann 03] and for checking refinement of CCS processes using a notion called stuck-free conformance that is more discriminative than failure trace refinement [Fournet 04].

Brookes and Roscoe use the failure model to show the absence of deadlock in unidirectional networks [Brookes 91]. They also generalize the approach to the class of conflict-free networks via decomposition and local deadlock analysis. In contrast, we provide a completely automated framework for detecting deadlocks in arbitrary networks of asynchronous systems using rendezvous communication. Our formalism is based on an automata-theoretic representation of failure traces. Moreover, to analyze the deadlock freedom of a set of concurrent programs compositionally, we use both circular and non-circular assume-guarantee rules [Pnueli 85, de Roever 98, Barringer 03]. Amla and colleagues have presented a sound and complete assume-guarantee method in the context of an abstract process composition framework [Amla 03]. However, they do not discuss deadlock detection or explore the use of learning.


^1 Alur, Madhusudan, and Nam have also investigated symbolic learning in this context [Alur 05b].
^2 Williams, Thies and Ernst also provide an excellent survey of related research [Williams 05].
3 Failure Languages and Automata


In this section, we present the theory of failure languages and failure automata. We consider a subclass of failure languages, the regular failure languages (RFLs), and provide a lemma relating RFLs and failure automata (FLA), analogous to the Myhill-Nerode theorem for ordinary regular languages. We begin with a few standard definitions [Roscoe 97].


Definition 1 (Labeled Transition System) A labeled transition system (LTS) is a quadruple $(S, Init, \Sigma, \delta)$ where: (i) $S$ is a set of states, (ii) $Init \subseteq S$ is a set of initial states, (iii) $\Sigma$ is a set of actions (alphabet), and (iv) $\delta \subseteq S \times \Sigma \times S$ is a transition relation.


We only consider LTSs such that both $S$ and $\Sigma$ are finite. We write $s \xrightarrow{a} s'$ to mean $(s, a, s') \in \delta$. A trace is any finite (possibly empty) sequence of actions; that is, the set of all traces is $\Sigma^*$. We denote the empty trace by $\epsilon$, a singleton trace $\langle a \rangle$ by $a$, and the concatenation of two traces $t_1$ and $t_2$ by $t_1 \cdot t_2$. For any LTS $M = (S, Init, \Sigma, \delta)$, we define the function $\delta : 2^S \times \Sigma^* \to 2^S$ as follows:

$$\delta(X, \epsilon) = X \quad\text{and}\quad \delta(X, t \cdot a) = \{ s' \mid \exists s \in \delta(X, t) \,.\, s \xrightarrow{a} s' \}$$

$M$ is said to be deterministic if $|Init| = 1$ and $\forall s \in S \,.\, \forall a \in \Sigma \,.\, |\delta(\{s\}, a)| \le 1$, and complete if $\forall s \in S \,.\, \forall a \in \Sigma \,.\, |\delta(\{s\}, a)| \ge 1$. Thus if $M$ is both deterministic and complete then $|Init| = 1$ and $\forall s \in S \,.\, \forall t \in \Sigma^* \,.\, |\delta(\{s\}, t)| = 1$. In this case, we write $\delta(s, t)$ to mean the only element of $\delta(\{s\}, t)$.


Definition 2 (Finite Automaton) A finite automaton is a pair $(M, F)$ such that $M = (S, Init, \Sigma, \delta)$ is an LTS and $F \subseteq S$ is a set of final states.

Let $G = (M, F)$ be a finite automaton. Then $G$ is said to be deterministic (complete) iff the underlying LTS $M$ is deterministic (complete).


Definition 3 (Refusal) Let $M = (S, Init, \Sigma, \delta)$ be an LTS and $s \in S$ be any state of $M$. We say that $s$ refuses an action $a$ iff $\nexists s' \in S \,.\, (s, a, s') \in \delta$. We say that $s$ refuses a set of actions $R$, and denote this by $Ref(s, R)$, iff $s$ refuses every element of $R$. Note that the following holds: (i) $\forall s \,.\, Ref(s, \emptyset)$ and (ii) $\forall s, R, R' \,.\, Ref(s, R) \wedge R' \subseteq R \Rightarrow Ref(s, R')$ (i.e., refusals are downward-closed).


Definition 4 (Failure) Let $M = (S, Init, \Sigma, \delta)$ be an LTS. A pair $(t, R) \in \Sigma^* \times 2^\Sigma$ is said to be a failure of $M$ iff there exists some $s \in \delta(Init, t)$ such that $Ref(s, R)$. The set of all failures of an LTS $M$ is denoted by $\mathcal{F}(M)$.

Note that a failure consists of both a trace and a refusal set. A (possibly infinite) set of failures $L$ is said to be a failure language. Let us denote $2^\Sigma$ by $\Upsilon$. Note that $L \subseteq \Sigma^* \times \Upsilon$.
Figure 1: (a) LTS $M$ on $\Sigma = \{a, b, c\}$, (b) its FLA, and (c) its deterministic FLA. All states of the FLAs are accepting.


The union and intersection of failure languages are defined in the usual way. The complement of $L$, denoted by $\overline{L}$, is defined to be $(\Sigma^* \times \Upsilon) \setminus L$. A failure language is said to be downward-closed iff the following holds:

$$\forall t \in \Sigma^* \,.\, \forall R \in \Upsilon \,.\, (t, R) \in L \Rightarrow \forall R' \subseteq R \,.\, (t, R') \in L$$

In general, failure languages need not be downward closed; however, we will show later that failure languages generated from LTSs are always downward closed because the refusal sets at each state of an LTS are downward closed. In this report, we focus on downward-closed failure languages, in particular, regular failure languages.

Definition 5 (Deadlock) An LTS $M$ is said to deadlock iff $\mathcal{F}(M) \cap (\Sigma^* \times \{\Sigma\}) \neq \emptyset$. In other words, $M$ deadlocks iff it has a reachable state that refuses every action in its alphabet.

Let us denote the failure language $\Sigma^* \times \{\Sigma\}$ by $L_{DLK}$. Then, it follows that $M$ is deadlock free iff $\mathcal{F}(M) \subseteq \overline{L_{DLK}}$.

Maximality. Let $P$ be any subset of $\Upsilon$. The set of maximal elements of $P$ is denoted by $Max(P)$ and defined as follows: $Max(P) = \{ R \in P \mid \forall R' \in P \,.\, R \not\subset R' \}$.

For example, if $P = \{\{a\}, \{b\}, \{a, b\}, \{a, c\}\}$, then $Max(P) = \{\{a, b\}, \{a, c\}\}$. A subset $P$ of $\Upsilon$ is said to be maximal iff it is non-empty and $Max(P) = P$. Intuitively, failure automata are finite automata whose final states are labeled with maximal refusal sets. Thus, a failure $(t, R)$ is accepted by a failure automaton $A$ iff upon receiving input $t$, $A$ reaches a final state labeled with a refusal $R'$ such that $R \subseteq R'$. With the concept of maximality, we use only the upper bounds of a set (according to the subset partial order) to represent the complete set and thereby concisely represent downward-closed failure languages.


Definition 6 (Failure Automaton) A failure automaton (FLA) is a triple $(M, F, \mu)$ such that $M = (S, Init, \Sigma, \delta)$ is an LTS, $F \subseteq S$ is a set of final states, and $\mu : F \to 2^\Upsilon$ is a mapping from the final states to $2^\Upsilon$ such that: $\forall s \in F \,.\, \mu(s) \neq \emptyset \wedge \mu(s) = Max(\mu(s))$.
Let $A = (M, F, \mu)$ be an FLA. Then $A$ is said to be deterministic (respectively complete) iff the underlying LTS $M$ is deterministic (respectively complete). Part (a) of Figure 1 shows an LTS over $\Sigma = \{a, b, c\}$. Parts (b) and (c) show the corresponding FLA and its deterministic version, respectively.


Definition 7 (Language of an FLA) Let $A = (M, F, \mu)$ be an FLA such that $M = (S, Init, \Sigma, \delta)$. Then, a failure $(t, R)$ is accepted by $A$ iff the following holds:

$$\exists s \in F \,.\, \exists R' \in \mu(s) \,.\, s \in \delta(Init, t) \wedge R \subseteq R'$$

The language of $A$, denoted by $\mathcal{L}(A)$, is the set of all failures accepted by $A$.


Every deterministic FLA (DFLA) $A$ can be extended to a complete DFLA $A'$ such that $\mathcal{L}(A') = \mathcal{L}(A)$ by adding a non-final sink state. In the rest of this report, we consider FLA and languages over a fixed alphabet $\Sigma$.

Lemma 1 A language is accepted by an FLA iff it is accepted by a deterministic FLA; that is, deterministic FLA have the same accepting power as FLA in general.

Proof. By subset construction. Let $L$ be a language accepted by some FLA $A = (M, F, \mu)$. We construct a deterministic FLA $A' = (M', F', \mu')$ as follows. The deterministic finite automaton $G' = (M', F')$ is obtained by the standard subset construction from the finite automaton $G = (M, F)$. For any state $s'$ of $M'$, let $\Psi(s')$ denote the set of states of $M$ from which $s'$ was derived by the subset construction. To define $\mu'$, consider any final state $s' \in F'$. We know that $\Psi(s') \cap F \neq \emptyset$. Let $P = \bigcup_{s \in \Psi(s') \cap F} \mu(s)$. Then $\mu'(s') = Max(P)$.

Let $Init$ and $Init'$ be the initial states of $M$ and $M'$, respectively. Now, to show that $\mathcal{L}(A') = L$, consider any failure $(t, R)$. Then

$$\begin{aligned}
(t, R) \in \mathcal{L}(A') &\Leftrightarrow \exists s' \in \delta'(Init', t) \cap F' \,.\, \exists R' \in \mu'(s') \,.\, R \subseteq R' \\
&\Leftrightarrow \exists s' \in \delta'(Init', t) \cap F' \,.\, \exists s \in \Psi(s') \cap F \,.\, \exists R' \in \mu(s) \,.\, R \subseteq R' \\
&\Leftrightarrow \exists s \in \delta(Init, t) \cap F \,.\, \exists R' \in \mu(s) \,.\, R \subseteq R' \;\Leftrightarrow\; (t, R) \in \mathcal{L}(A) = L
\end{aligned}$$

The second equivalence holds because $R$ is contained in some element of $Max(P)$ iff it is contained in some element of $P$.


Regular Failure Languages (RFLs). A failure language is said to be regular iff it is accepted by some FLA.^3 It follows from the definition of FLAs that RFLs are downward closed. Hence, the set of RFLs is closed under union and intersection but not under complementation.^4 In addition, every RFL is accepted by a unique minimal deterministic FLA. The following lemma is analogous to the Myhill-Nerode theorem for regular languages and ordinary finite automata.


^3 FLA are closely related to automata on guarded strings [Kozen 01], which contain arbitrary transition labels drawn from a partially ordered set. In contrast, the state labels (refusals) in FLA are only maximal elements from such a set. Further, since it suffices to consider refusals at the end of a trace for checking deadlock freedom, we only label the final states of an FLA.

^4 For example, consider $\Sigma = \{a\}$ and the RFL $L = \Sigma^* \times \{\emptyset\}$. Then $\overline{L} = \Sigma^* \times \{\{a\}\}$ is not downward-closed and hence is not an RFL.
Lemma 2 Every regular failure language (RFL) is accepted by a unique (up to isomorphism) minimal deterministic failure automaton.


Proof. Our proof follows that of the Myhill-Nerode theorem for finite automata. Let $L$ be any RFL. Let us define an equivalence relation $\equiv$ over $\Sigma^*$ as follows:

$$u \equiv v \;\Leftrightarrow\; \forall (t, R) \in \Sigma^* \times \Upsilon \,.\, (u \cdot t, R) \in L \Leftrightarrow (v \cdot t, R) \in L$$

For any $u \in \Sigma^*$, we denote the equivalence class of $u$ by $[u]$. Let us define a finite automaton $G = (M, F)$ where $M = (S, Init, \Sigma, \delta)$ such that: (i) $S = \{[u] \mid u \in \Sigma^*\}$, (ii) $Init = \{[\epsilon]\}$, (iii) $\forall u \in \Sigma^* \,.\, \forall a \in \Sigma \,.\, [u] \xrightarrow{a} [u \cdot a]$, and (iv) $F = \{[u] \mid \exists R \in \Upsilon \,.\, (u, R) \in L\}$.

Also, let us define a function $\mu$ as follows. Consider any $[u] \in F$ and let $P \subseteq \Upsilon$ be defined as $P = \{R \mid \exists v \,.\, v \equiv u \wedge (v, R) \in L\}$. Note that since $[u] \in F$, $P \neq \emptyset$. Then $\mu([u]) = Max(P)$. Let $A$ be the FLA $(M, F, \mu)$.

We first show by contradiction that $A$ is deterministic. First, note that $|Init| = 1$. Next, suppose that $A$ is nondeterministic. Then there exist two traces $u \in \Sigma^*$ and $v \in \Sigma^*$ and an action $a \in \Sigma$ such that $u \equiv v$ but $u \cdot a \not\equiv v \cdot a$. Then there exists a failure $(t, R)$ such that (without loss of generality) $(u \cdot a \cdot t, R) \in L$ and $(v \cdot a \cdot t, R) \notin L$. But then there exists a failure $(t', R) = (a \cdot t, R)$ such that $(u \cdot t', R) \in L$ and $(v \cdot t', R) \notin L$. This implies that $u \not\equiv v$, which is a contradiction.

Next, we show that: (C1) for any trace $t$, $\delta(Init, t) = [t]$. The proof proceeds by induction on the length of $t$. For the base case, suppose $t = \epsilon$. Then $\delta(Init, t) = Init = [\epsilon]$. Now suppose $t = t' \cdot a$ for some trace $t'$ and action $a$. By the inductive hypothesis, $\delta(Init, t') = [t']$. Also, from the definition of $A$, we know that $[t'] \xrightarrow{a} [t' \cdot a]$. Hence, $\delta(Init, t) = \delta(Init, t' \cdot a) = [t' \cdot a] = [t]$. This completes the proof of C1.

Now consider any DFLA $A' = (M', F', \mu')$ where $M' = (S', Init', \Sigma, \delta')$ such that $\mathcal{L}(A') = L$; by the remark following Definition 7 we may take $A'$ to be complete. Let us define a function $\Pi : S' \to S$ (on the reachable states of $A'$) as follows: $\forall t \in \Sigma^* \,.\, \Pi(\delta'(Init', t)) = \delta(Init, t)$. First we show that $\Pi$ is well-defined. Consider any two traces $u$ and $v$ such that $\delta'(Init', u) = \delta'(Init', v)$. Then for any failure $(t, R)$, $A'$ accepts $(u \cdot t, R)$ iff it also accepts $(v \cdot t, R)$. Since $A'$ accepts $L$, we find that $u \equiv v$. Combining this with C1 above we have $\delta(Init, u) = [u] = [v] = \delta(Init, v)$. Therefore, $\delta(Init, u) = \delta(Init, v)$, which proves that $\Pi$ is well-defined. In addition, $\Pi$ is a surjection since for any state $[u]$ of $A$ we have the following from C1 above: $[u] = \delta(Init, u) = \Pi(\delta'(Init', u))$.

We are now ready to prove the main result. In essence, we show that $A$ is the unique minimal DFLA that accepts $L$. We have already shown that $A$ is deterministic. To show that $\mathcal{L}(A) = L$ we observe that for any trace $t$ and any refusal $R$, the following holds (by C1, the definition of $\mu$, and the downward closure of $L$):

$$(t, R) \in L \;\Leftrightarrow\; [t] \in F \wedge \exists R' \in \mu([t]) \,.\, R \subseteq R' \;\Leftrightarrow\; (t, R) \in \mathcal{L}(A)$$

Next, recall that $\Pi$ defined above is a surjection. Hence, $A'$ must have at least as many states as $A$. Since $A'$ is an arbitrary DFLA accepting $L$, $A$ must be a minimal DFLA that accepts $L$. To show that $A$ is unique up to isomorphism, let $A'$ be another minimal DFLA accepting $L$. In this case, $\Pi$ must be a bijection. We show that $\Pi$ is also an isomorphism.
Let us write $\Pi^{-1}$ to mean the inverse of $\Pi$. Note that $\Pi^{-1}$ is also a bijection, and more specifically, $\forall t \in \Sigma^* \,.\, \Pi^{-1}(\delta(Init, t)) = \delta'(Init', t)$. We will now prove the following statements:

(C2) $\Pi^{-1}(Init) = Init'$

(C3) $\forall u \in \Sigma^* \,.\, \forall v \in \Sigma^* \,.\, \forall a \in \Sigma \,.\, [u] \xrightarrow{a} [v] \Leftrightarrow \Pi^{-1}([u]) \xrightarrow{a} \Pi^{-1}([v])$

(C4) $\forall s \in S \,.\, s \in F \Leftrightarrow \Pi^{-1}(s) \in F'$

(C5) $\forall s \in F \,.\, \mu(s) = \mu'(\Pi^{-1}(s))$

First, C2 holds since $\Pi^{-1}(Init) = \Pi^{-1}(\delta(Init, \epsilon)) = \delta'(Init', \epsilon) = Init'$. To prove C3, suppose that $[u] \xrightarrow{a} [v]$. Since $[u] = \delta(Init, u)$ we have $[v] = \delta(Init, u \cdot a)$. Hence, $\Pi^{-1}([u]) = \delta'(Init', u)$ and $\Pi^{-1}([v]) = \delta'(Init', u \cdot a)$. But this implies that $\Pi^{-1}([u]) \xrightarrow{a} \Pi^{-1}([v])$, which proves the forward implication. For the reverse implication, suppose that $\Pi^{-1}([u]) \xrightarrow{a} \Pi^{-1}([v])$. Since $\Pi^{-1}([u]) = \delta'(Init', u)$ we again have $\Pi^{-1}([v]) = \delta'(Init', u \cdot a)$. Therefore, $[u] = \delta(Init, u)$ and $[v] = \delta(Init, u \cdot a)$, and hence $[u] \xrightarrow{a} [v]$.

To prove C4, consider any $s \in S$ such that $s = [u] = \delta(Init, u)$. Hence, $\Pi^{-1}(s) = \Pi^{-1}(\delta(Init, u)) = \delta'(Init', u)$. Then

$$s \in F \;\Leftrightarrow\; [u] \in F \;\Leftrightarrow\; \exists R \,.\, (u, R) \in L \;\Leftrightarrow\; \delta'(Init', u) \in F' \;\Leftrightarrow\; \Pi^{-1}(s) \in F'$$

Finally, we prove C5 by contradiction. Suppose that there exists $s = [u] \in F$ such that $\mu(s) \neq \mu'(\Pi^{-1}(s))$. Without loss of generality, we can always pick a refusal $R$ such that $\exists R' \in \mu(s) \,.\, R \subseteq R'$ and $\forall R' \in \mu'(\Pi^{-1}(s)) \,.\, R \not\subseteq R'$. Now, we also know that $s = \delta(Init, u)$ and $\Pi^{-1}(s) = \delta'(Init', u)$. Therefore, $(u, R) \in \mathcal{L}(A) \setminus \mathcal{L}(A')$, which implies that $\mathcal{L}(A) = L \neq L = \mathcal{L}(A')$, a contradiction.

Note that for any LTS $M$, $\mathcal{F}(M)$ is regular.^5 Indeed, the failure automaton corresponding to $M = (S, Init, \Sigma, \delta)$ is $A = (M, S, \mu)$ such that $\forall s \in S \,.\, \mu(s) = Max(\{R \mid Ref(s, R)\})$; since refusals are downward closed, each $\mu(s)$ is the singleton containing the set of all actions refused at $s$.

^5 However, there exist RFLs that do not correspond to any LTS. In particular, any failure language $L$ corresponding to some LTS must satisfy the following condition: $\exists R \subseteq \Sigma \,.\, (\epsilon, R) \in L$. Thus, the RFL $\{(a, \emptyset)\}$ does not correspond to any LTS.
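To make Definitions 1 through 7 and the failure automaton of an LTS concrete, the following Python is an added example written for this edit; it is not code from the report or from the ComFoRT implementation. The LTSs M_FREE and M_DEAD, the deadlock check and the enumeration-based comparison of $\mathcal{F}(M)$ with $\mathcal{L}(A)$ are constructed here for illustration. The enumeration bounds the trace length, since $\mathcal{F}(M)$ is infinite as soon as $M$ has a cycle.

```python
# Added example (not code from the report): Definitions 1, 3, 4, 5, 6 and 7 and the failure
# automaton of an LTS noted after Lemma 2. Traces are tuples, refusals frozensets of actions.
from itertools import combinations, product

def all_subsets(Sigma):
    """2^Sigma as a list of frozensets."""
    acts = sorted(Sigma)
    return [frozenset(c) for k in range(len(acts) + 1) for c in combinations(acts, k)]

def Max(P):
    """Maximal elements of a family of sets under the subset order (the report's Max)."""
    P = set(P)
    return frozenset(R for R in P if not any(R < R2 for R2 in P))

class LTS:
    """(S, Init, Sigma, delta) with delta a set of (s, a, s') triples (Definition 1)."""
    def __init__(self, states, init, alphabet, trans):
        self.S, self.Init = frozenset(states), frozenset(init)
        self.Sigma, self.delta = frozenset(alphabet), frozenset(trans)

    def step(self, X, trace):
        """The extended transition function delta(X, t)."""
        cur = set(X)
        for a in trace:
            cur = {s2 for (s, b, s2) in self.delta if b == a and s in cur}
        return frozenset(cur)

    def refuses(self, s, R):
        """Ref(s, R): no transition out of s on any action of R (Definition 3)."""
        enabled = {b for (x, b, _) in self.delta if x == s}
        return not (set(R) & enabled)

    def max_refusal(self, s):
        """The single maximal refusal at s: every action not enabled there."""
        return frozenset(a for a in self.Sigma if self.refuses(s, {a}))

    def reachable(self):
        seen, stack = set(self.Init), list(self.Init)
        while stack:
            s = stack.pop()
            for (x, _, s2) in self.delta:
                if x == s and s2 not in seen:
                    seen.add(s2)
                    stack.append(s2)
        return seen

    def deadlocks(self):
        """Definition 5: some reachable state refuses the whole alphabet."""
        return any(self.refuses(s, self.Sigma) for s in self.reachable())

def failures(M, max_len):
    """F(M) restricted to traces of length <= max_len (Definition 4), by enumeration."""
    subsets, out = all_subsets(M.Sigma), set()
    for n in range(max_len + 1):
        for t in product(sorted(M.Sigma), repeat=n):
            for s in M.step(M.Init, t):
                out.update((t, R) for R in subsets if M.refuses(s, R))
    return out

def downward_closed(L):
    """(t, R) in L implies (t, R') in L for every R' <= R."""
    return all((t, frozenset(R2)) in L for (t, R) in L
               for k in range(len(R) + 1) for R2 in combinations(sorted(R), k))

class FLA:
    """Failure automaton (M, F, mu); mu maps each final state to a maximal family (Definition 6)."""
    def __init__(self, M, F, mu):
        self.M, self.F, self.mu = M, frozenset(F), dict(mu)
        for s in self.F:
            assert self.mu[s] and Max(self.mu[s]) == frozenset(self.mu[s])

    @classmethod
    def of_lts(cls, M):
        """All states final and mu(s) = Max({R | Ref(s, R)}) = {max_refusal(s)}."""
        return cls(M, M.S, {s: frozenset([M.max_refusal(s)]) for s in M.S})

    def accepts(self, t, R):
        """Definition 7: a final state reached on t carries a refusal that contains R."""
        R = frozenset(R)
        return any(s in self.F and any(R <= R2 for R2 in self.mu[s])
                   for s in self.M.step(self.M.Init, t))

def fla_matches_failures(M, max_len):
    """Check L(FLA of M) = F(M) on every (t, R) with |t| <= max_len."""
    A, fails = FLA.of_lts(M), failures(M, max_len)
    return all(A.accepts(t, R) == ((t, R) in fails)
               for n in range(max_len + 1) for t in product(sorted(M.Sigma), repeat=n)
               for R in all_subsets(M.Sigma))

# Constructed sample LTSs over Sigma = {a, b, c}; both branch nondeterministically on a.
# M_FREE never deadlocks; M_DEAD reaches state 3, which refuses every action.
SIGMA = {"a", "b", "c"}
M_FREE = LTS({0, 1, 2}, {0}, SIGMA, {(0, "a", 1), (0, "a", 2), (1, "b", 0), (2, "c", 2)})
M_DEAD = LTS({0, 1, 2, 3}, {0}, SIGMA, {(0, "a", 1), (0, "a", 2), (1, "b", 0), (2, "c", 3)})

if __name__ == "__main__":
    A = FLA.of_lts(M_FREE)
    print("M_FREE deadlocks:", M_FREE.deadlocks(), "| M_DEAD deadlocks:", M_DEAD.deadlocks())
    print("(a, {b}) accepted:", A.accepts(("a",), {"b"}),
          "| (a, {b, c}) accepted:", A.accepts(("a",), {"b", "c"}))
```

The nondeterministic branch on a in M_FREE is the point of the example: after the trace a, the LTS can be in state 1 (refusing {a, c}) or state 2 (refusing {a, b}), so (a, {b}) and (a, {c}) are failures but (a, {b, c}) is not, and the FLA records exactly that with two final states reached on a rather than one state labeled {a, b, c}.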
4 Assume Guarantee for Deadlock


We  now  present  an  assume-guarantee  style  [Pnueli  85]  proof  rule  for  deadlock  detection  in 
systems  composed  of  two  components.  We  use  the  notion  of  parallel  composition  proposed  in 
the  theory  of  CSP  [Hoare  85]  and  define  it  formally. 

Definition 8 (LTS Parallel Composition) Consider LTSs $M_1 = (S_1, Init_1, \Sigma_1, \delta_1)$ and $M_2 = (S_2, Init_2, \Sigma_2, \delta_2)$. Then the parallel composition of $M_1$ and $M_2$, denoted by $M_1 \| M_2$, is the LTS $(S_1 \times S_2, Init_1 \times Init_2, \Sigma_1 \cup \Sigma_2, \delta)$ such that $((s_1, s_2), a, (s_1', s_2')) \in \delta$ iff the following holds:

$$\forall i \in \{1, 2\} \,.\, (a \in \Sigma_i \wedge (s_i, a, s_i') \in \delta_i) \vee (a \notin \Sigma_i \wedge s_i = s_i')$$

Without loss of generality, we assume that both $M_1$ and $M_2$ have the same alphabet $\Sigma$. Indeed, any system with two components having different alphabets, say $\Sigma_1$ and $\Sigma_2$, can be converted to a bisimilar (and hence deadlock-equivalent) system [Chaki 05a] with two components, each having the same alphabet $\Sigma_1 \cup \Sigma_2$. Thus, all languages and automata we consider here will also be over the same alphabet $\Sigma$.

We now extend the notion of parallel composition to failure languages. Observe that the composition involves set-intersection on the trace part and set-union on the refusal part of failures. Proofs of all the lemmas are detailed in Section 5.

Definition 9 (Failure Language Composition) The parallel composition of any two failure languages $L_1$ and $L_2$, denoted by $L_1 \| L_2$, is defined as follows:

$$L_1 \| L_2 = \{(t, R_1 \cup R_2) \mid (t, R_1) \in L_1 \wedge (t, R_2) \in L_2\}$$


Lemma 3 For any failure languages $L_1, L_2, L_1'$ and $L_2'$, the following holds:

$$(L_1 \subseteq L_1') \wedge (L_2 \subseteq L_2') \Rightarrow (L_1 \| L_2) \subseteq (L_1' \| L_2')$$

Proof. Let $(t, R)$ be any failure in $L_1 \| L_2$. Then there exist refusals $R_1$ and $R_2$ such that: (A) $R = R_1 \cup R_2$, (B) $(t, R_1) \in L_1$ and (C) $(t, R_2) \in L_2$. From (B), (C), and the premise of the lemma, we have (D) $(t, R_1) \in L_1'$ and (E) $(t, R_2) \in L_2'$. But then from (A), (D), (E) and Definition 9, we have $(t, R) \in L_1' \| L_2'$, which completes the proof.


Definition 10 (FLA Parallel Composition) Consider two FLAs $A_1 = (M_1, F_1, \mu_1)$ and $A_2 = (M_2, F_2, \mu_2)$. The parallel composition of $A_1$ and $A_2$, denoted by $A_1 \| A_2$,^6 is defined as the FLA $(M_1 \| M_2, F_1 \times F_2, \mu)$ such that:

$$\mu(s_1, s_2) = Max(\{R_1 \cup R_2 \mid R_1 \in \mu_1(s_1) \wedge R_2 \in \mu_2(s_2)\})$$

^6 We overload the operator $\|$ to denote parallel composition in the context of both LTSs and FLAs. The actual meaning of the operator will be clear from its context.
Let $M_1, M_2$ be LTSs and $A_1, A_2$ be FLAs. Then, the following two lemmas bridge the concepts of composition between automata and languages.


Lemma 4 $\mathcal{F}(M_1 \| M_2) = \mathcal{F}(M_1) \| \mathcal{F}(M_2)$.

Proof. For any LTSs $M_1$ and $M_2$ over the same alphabet $\Sigma$, it can be proved that

$$\mathcal{F}(M_1 \| M_2) = \{(t, R_1 \cup R_2) \mid (t, R_1) \in \mathcal{F}(M_1) \wedge (t, R_2) \in \mathcal{F}(M_2)\}$$

since a trace $t$ reaches $(s_1, s_2)$ in $M_1 \| M_2$ iff it reaches $s_1$ in $M_1$ and $s_2$ in $M_2$, and, both components having the same alphabet, $(s_1, s_2)$ refuses an action iff $s_1$ or $s_2$ refuses it. The lemma then follows from the above fact and Definition 9.


Lemma 5 $\mathcal{L}(A_1 \| A_2) = \mathcal{L}(A_1) \| \mathcal{L}(A_2)$.

Proof. Let $A_1 = (M_1, F_1, \mu_1)$ and $A_2 = (M_2, F_2, \mu_2)$ where $M_1 = (S_1, Init_1, \Sigma, \delta_1)$ and $M_2 = (S_2, Init_2, \Sigma, \delta_2)$. Then we know that $A_1 \| A_2 = (M_1 \| M_2, F_1 \times F_2, \mu)$. Let $(t, R)$ be any element of $\mathcal{L}(A_1 \| A_2)$. Then, we know that

$$\exists (s_1, s_2) \in \delta(Init_1 \times Init_2, t) \cap (F_1 \times F_2) \,.\, \exists R' \in \mu(s_1, s_2) \,.\, R \subseteq R'$$

From the definition of $\mu$ we find that

$$\exists R_1 \in \mu_1(s_1) \,.\, \exists R_2 \in \mu_2(s_2) \,.\, R \subseteq R_1 \cup R_2$$

Therefore, $(t, R \cap R_1) \in \mathcal{L}(A_1)$ and $(t, R \cap R_2) \in \mathcal{L}(A_2)$ by Definition 7, and since $R = (R \cap R_1) \cup (R \cap R_2)$, we have $(t, R) \in \mathcal{L}(A_1) \| \mathcal{L}(A_2)$. This proves that $\mathcal{L}(A_1 \| A_2) \subseteq \mathcal{L}(A_1) \| \mathcal{L}(A_2)$. Now, let $(t, R)$ be any element of $\mathcal{L}(A_1) \| \mathcal{L}(A_2)$. Then, we know that

$$\exists s_1 \in \delta_1(Init_1, t) \cap F_1 \,.\, \exists s_2 \in \delta_2(Init_2, t) \cap F_2 \,.\, \exists R_1 \in \mu_1(s_1) \,.\, \exists R_2 \in \mu_2(s_2) \,.\, R \subseteq R_1 \cup R_2$$

Therefore, $(s_1, s_2) \in \delta(Init_1 \times Init_2, t) \cap (F_1 \times F_2)$ and $\exists R' \in \mu(s_1, s_2) \,.\, R \subseteq R'$. Hence $(t, R) \in \mathcal{L}(A_1 \| A_2)$. This shows that $\mathcal{L}(A_1) \| \mathcal{L}(A_2) \subseteq \mathcal{L}(A_1 \| A_2)$ and completes the proof.

Regular Failure Language Containment (RFLC). We develop a general compositional framework for checking RFLC. This framework is also applicable to deadlock detection since, as we will show later, deadlock freedom is a form of RFLC. Recall that RFLs are not closed under complementation. Given RFLs $L_1$ and $L_2$, it is not possible to verify $L_1 \subseteq L_2$ in the usual manner by checking if $L_1 \cap \overline{L_2} = \emptyset$. However, as is shown by the following crucial lemma, it is possible to check containment between RFLs using their representations in terms of deterministic FLA without having to complement the automaton that corresponds to $L_2$.


Lemma 6 Consider any FLA $A_1$ and $A_2$. Let $A_1' = (M_1, F_1, \mu_1)$ and $A_2' = (M_2, F_2, \mu_2)$ be the complete deterministic FLA obtained by determinizing $A_1$ and $A_2$ respectively (and completing them with a non-final sink state, as noted after Definition 7), and let $M_1 = (S_1, Init_1, \Sigma, \delta_1)$ and $M_2 = (S_2, Init_2, \Sigma, \delta_2)$. Then $\mathcal{L}(A_1) \subseteq \mathcal{L}(A_2)$ iff for every reachable state $(s_1, s_2)$ of $M_1 \| M_2$ the following condition holds:

$$s_1 \in F_1 \Rightarrow \big(s_2 \in F_2 \wedge (\forall R_1 \in \mu_1(s_1) \,.\, \exists R_2 \in \mu_2(s_2) \,.\, R_1 \subseteq R_2)\big)$$
Proof. First, we note that $\mathcal{L}(A_1) = \mathcal{L}(A_1')$ and $\mathcal{L}(A_2) = \mathcal{L}(A_2')$. Now let $M_1 = (S_1, Init_1, \Sigma, \delta_1)$ and $M_2 = (S_2, Init_2, \Sigma, \delta_2)$. For the forward implication, we prove the contrapositive. Suppose that there exists a reachable state $(s_1, s_2)$ of $M_1 \| M_2$ such that $s_1 \in F_1$ and either $s_2 \notin F_2$ or $\exists R_1 \in \mu_1(s_1) \,.\, \forall R_2 \in \mu_2(s_2) \,.\, R_1 \not\subseteq R_2$. Since $M_1$ and $M_2$ are deterministic, let $t \in \Sigma^*$ be a trace such that $(s_1, s_2) = \delta(Init_1 \times Init_2, t)$. Now, we choose a refusal $R$ as follows. If $s_2 \notin F_2$ then let $R$ be any element of $\mu_1(s_1)$. Otherwise let $R$ be some $R_1 \in \mu_1(s_1)$ such that $\forall R_2 \in \mu_2(s_2) \,.\, R_1 \not\subseteq R_2$. Now, it follows that $(t, R) \in \mathcal{L}(A_1') \setminus \mathcal{L}(A_2')$. Hence $\mathcal{L}(A_1') \not\subseteq \mathcal{L}(A_2')$ and therefore $\mathcal{L}(A_1) \not\subseteq \mathcal{L}(A_2)$.

For the reverse implication we also prove the contrapositive. Suppose $\mathcal{L}(A_1) \not\subseteq \mathcal{L}(A_2)$ and let $(t, R)$ be any element of $\mathcal{L}(A_1) \setminus \mathcal{L}(A_2) = \mathcal{L}(A_1') \setminus \mathcal{L}(A_2')$. Let $s_1 = \delta_1(Init_1, t)$ and $s_2 = \delta_2(Init_2, t)$; both exist since $M_1$ and $M_2$ are complete. But we know that $\exists R_1 \in \mu_1(s_1) \,.\, R \subseteq R_1$ and either $s_2 \notin F_2$ or $\forall R_2 \in \mu_2(s_2) \,.\, R \not\subseteq R_2$. However, this implies that $s_1 \in F_1$ and either $s_2 \notin F_2$ or $\exists R_1 \in \mu_1(s_1) \,.\, \forall R_2 \in \mu_2(s_2) \,.\, R_1 \not\subseteq R_2$. In addition, $(s_1, s_2)$ is a reachable state of $M_1 \| M_2$. This completes the proof.

In other words, we can check whether $\mathcal{L}(A_1) \subseteq \mathcal{L}(A_2)$ by determinizing $A_1$ and $A_2$, constructing the product of the underlying LTSs and checking whether the condition of Lemma 6 holds in every reachable state of the product. In essence, the condition says that for every reachable state $(s_1, s_2)$, if $s_1$ is final, then $s_2$ is also final and each refusal $R_1$ labeling $s_1$ is contained in some refusal $R_2$ labeling $s_2$.

Now suppose that $\mathcal{L}(A_1)$ is obtained by composing two RFLs $L_1$ and $L_2$, i.e., $\mathcal{L}(A_1) = L_1 \parallel L_2$, and let $\mathcal{L}(A_2) = L_S$, the specification language. To check RFLC between $L_1 \parallel L_2$ and $L_S$, the approach of Lemma 6 requires us to directly compose $L_1$, $L_2$ and $L_S$, a potentially expensive computation. In the following, we first show that checking deadlock-freedom is a particular case of RFLC and then present a compositional technique to check RFLC (and hence deadlock-freedom) that avoids composing $L_1$ and $L_2$ (or their FLA representations) directly.

Deadlock as RFLC. Given three RFLs $L_1$, $L_2$ and $L_S$, we can use our regular language containment algorithm to verify whether $(L_1 \parallel L_2) \subseteq L_S$. If this is the case, then our algorithm returns TRUE. Otherwise it returns FALSE along with a counterexample $CE \in (L_1 \parallel L_2) \setminus L_S$. Also, we assume that $L_1$, $L_2$ and $L_S$ are represented as FLA. To use our algorithm for deadlock detection, recall that for any two LTSs $M_1$ and $M_2$, $M_1 \parallel M_2$ is deadlock free iff $\mathcal{F}(M_1 \parallel M_2) \subseteq L_{Dlk}$. Let $L_1 = \mathcal{F}(M_1)$, $L_2 = \mathcal{F}(M_2)$ and $L_S = L_{Dlk}$. Using Lemma 4, this deadlock check reduces to verifying whether $L_1 \parallel L_2 \subseteq L_S$. Observe that we can use our RFLC algorithm provided $L_1$, $L_2$ and $L_S$ are regular. Since $M_1$ and $M_2$ are LTSs, $L_1$ and $L_2$ are regular. Also, $L_{Dlk}$ is regular, since it is accepted by the failure automaton $A = (M, F, \mu)$ such that: (i) $M = (\{s\}, \{s\}, \Sigma, \delta)$, (ii) $\delta = \{ s \xrightarrow{a} s \mid a \in \Sigma \}$, (iii) $F = \{s\}$, and (iv) $\mu(s) = Max(\{ R \mid R \subsetneq \Sigma \})$. For instance, if $\Sigma = \{a, b, c\}$, then $\mu(s) = \{\{a, b\}, \{b, c\}, \{c, a\}\}$. Thus, deadlock detection is just a specific instance of RFLC.

Suppose we are given three RFLs $L_1$, $L_2$ and $L_S$ in the form of their accepting FLA $A_1$, $A_2$ and $A_S$. To check $L_1 \parallel L_2 \subseteq L_S$, we can construct the FLA $A_1 \parallel A_2$ (see Lemma 10) and then check whether $\mathcal{L}(A_1 \parallel A_2) \subseteq \mathcal{L}(A_S)$ (see Lemmas 5 and 6). The problem with this naive approach is statespace explosion. To alleviate this problem, we present a compositional language containment scheme based on AG-style reasoning in the next section.
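The naive check just described, as an added worked example that is not part of the report or of its ComFoRT implementation: a small Python model of deterministic, complete FLA, the synchronous product $A_1 \parallel A_2$, the reachable-state condition of Lemma 6 (returning a counterexample failure from $\mathcal{L}(A_1) \setminus \mathcal{L}(A_2)$ when it fails, chosen the way the lemma's proof chooses it), and the one-state automaton for $L_{Dlk}$. The two component LTSs, their alphabet, and the representation of $\mathcal{F}(M)$ (every state final, one maximal refusal consisting of the disabled actions, which assumes the LTSs are deterministic) are constructed here for illustration only.

```python
from collections import deque
from itertools import combinations

def maximal(sets):
    """Max(P): the subset-maximal elements of a set of refusals."""
    sets = set(sets)
    return {R for R in sets if not any(R < Q for Q in sets)}

class DFLA:
    """Deterministic, complete failure automaton A = (M, F, mu) with
    M = (S, Init, Sigma, delta). delta maps (state, action) -> state and mu maps
    each final state to its maximal refusals (frozensets). A accepts the failure
    (t, R) iff delta(Init, t) is final and R is contained in one of its refusals."""
    def __init__(self, states, init, sigma, delta, final, mu):
        self.states, self.init, self.sigma = set(states), init, frozenset(sigma)
        self.delta, self.final = dict(delta), set(final)
        self.mu = {s: maximal(mu[s]) for s in self.final}
        # Completion: every missing transition goes to a fresh non-final sink,
        # so each trace has exactly one run (Lemma 6 is stated for determinized,
        # complete automata).
        sink = ("sink",)
        for s in list(self.states):
            for a in self.sigma:
                if (s, a) not in self.delta:
                    self.delta[(s, a)] = sink
                    self.states.add(sink)
        if sink in self.states:
            for a in self.sigma:
                self.delta[(sink, a)] = sink

    def run(self, trace):
        s = self.init
        for a in trace:
            s = self.delta[(s, a)]
        return s

    def accepts(self, trace, refusal):
        s = self.run(trace)
        return s in self.final and any(frozenset(refusal) <= R for R in self.mu[s])

def lts_failures(states, init, sigma, delta):
    """FLA accepting F(M) for a deterministic LTS M (an assumption of this example):
    every state is final, and its single maximal refusal is the set of actions it
    does not enable, so (t, Sigma) is in F(M) exactly when M is stuck after t."""
    enabled = {s: {a for (q, a) in delta if q == s} for s in states}
    mu = {s: {frozenset(set(sigma) - enabled[s])} for s in states}
    return DFLA(states, init, sigma, delta, states, mu)

def deadlock_spec(sigma):
    """The automaton for L_Dlk from the text: one final state s, a self-loop on
    every action, and mu(s) = Max({R | R is a proper subset of Sigma})."""
    sigma = sorted(sigma)
    mu = {"s": {frozenset(c) for c in combinations(sigma, len(sigma) - 1)}}
    return DFLA({"s"}, "s", sigma, {("s", a): "s" for a in sigma}, {"s"}, mu)

def compose(a1, a2):
    """A1 || A2 over a shared alphabet: synchronous product of the LTSs; (s1, s2)
    is final iff both components are, labelled with Max of the unions R1 | R2."""
    assert a1.sigma == a2.sigma
    states = {(s1, s2) for s1 in a1.states for s2 in a2.states}
    delta = {((s1, s2), a): (a1.delta[(s1, a)], a2.delta[(s2, a)])
             for (s1, s2) in states for a in a1.sigma}
    final = {p for p in states if p[0] in a1.final and p[1] in a2.final}
    mu = {p: {R1 | R2 for R1 in a1.mu[p[0]] for R2 in a2.mu[p[1]]} for p in final}
    return DFLA(states, (a1.init, a2.init), a1.sigma, delta, final, mu)

def contains(a1, a2):
    """Lemma 6: L(A1) is a subset of L(A2) iff every reachable (s1, s2) of M1 || M2
    satisfies  s1 in F1  =>  (s2 in F2  and  for all R1 in mu1(s1) there is
    R2 in mu2(s2) with R1 <= R2).  Returns (True, None), or (False, (t, R)) with
    (t, R) in L(A1) but not in L(A2), choosing R as the lemma's proof does."""
    start = (a1.init, a2.init)
    trace_to, queue = {start: ()}, deque([start])
    while queue:
        s1, s2 = p = queue.popleft()
        t = trace_to[p]
        if s1 in a1.final:
            if s2 not in a2.final:
                return False, (t, next(iter(a1.mu[s1])))
            for R1 in a1.mu[s1]:
                if not any(R1 <= R2 for R2 in a2.mu[s2]):
                    return False, (t, R1)
        for a in sorted(a1.sigma):
            q = (a1.delta[(s1, a)], a2.delta[(s2, a)])
            if q not in trace_to:
                trace_to[q] = t + (a,)
                queue.append(q)
    return True, None

def deadlock_check(m1, m2):
    """Deadlock freedom of M1 || M2 as RFLC: F(M1) || F(M2) must be contained in
    L_Dlk.  Returns (True, None) or (False, t) where M1 || M2 deadlocks after t."""
    a1, a2 = lts_failures(*m1), lts_failures(*m2)
    ok, ce = contains(compose(a1, a2), deadlock_spec(a1.sigma))
    return (True, None) if ok else (False, ce[0])

# Constructed sample components, each given as (states, init, alphabet, delta).
SIGMA = {"a", "b", "c"}
M1 = ({"s0", "s1"}, "s0", SIGMA, {("s0", "a"): "s1", ("s1", "b"): "s0"})
M2_BAD = ({"q0", "q1"}, "q0", SIGMA, {("q0", "a"): "q1", ("q1", "c"): "q0"})
M2_OK = ({"q0", "q1"}, "q0", SIGMA, {("q0", "a"): "q1", ("q1", "b"): "q0"})

if __name__ == "__main__":
    print(deadlock_check(M1, M2_BAD))  # after a, M1 offers only b and M2 only c
    print(deadlock_check(M1, M2_OK))
```

With `M2_BAD`, the product state reached after `a` carries the refusal $\{a, c\} \cup \{a, b\} = \Sigma$, which no refusal of $L_{Dlk}$ contains, so the check reports the deadlocking trace `('a',)`; with `M2_OK` every reachable refusal union misses some action and the check succeeds. The sink states introduced by completion are non-final, so they never contribute failures and never trigger the condition.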
4.1 A Non-Circular AG Rule


Consider RFLs $L_1$, $L_2$ and $L_S$. We are interested in checking whether $L_1 \parallel L_2 \subseteq L_S$. In this context the following non-circular AG proof rule, called AG-NC, is both sound and complete:

$$\frac{L_1 \parallel L_A \subseteq L_S \qquad L_2 \subseteq L_A}{L_1 \parallel L_2 \subseteq L_S}$$

Proof. The completeness of AG-NC follows from the fact that if the conclusion holds, then $L_2$ can be used as $L_A$ to discharge the two premises. To prove soundness, let us assume that the two premises hold. Then from the second premise and Lemma 3, we have $L_1 \parallel L_2 \subseteq L_1 \parallel L_A$. Combining this with the first premise, we get $L_1 \parallel L_2 \subseteq L_S$, which is the desired conclusion.

In principle, AG-NC enables us to prove $L_1 \parallel L_2 \subseteq L_S$ by discovering an assumption $L_A$ that discharges its two premises. In practice, we are left with two critical problems. First, it provides no effective method for constructing an appropriate assumption $L_A$. Second, if no appropriate assumption exists, that is, if the conclusion of AG-NC does not hold, then AG-NC does not help in obtaining a counterexample to $L_1 \parallel L_2 \subseteq L_S$. In this report we develop and employ a learning algorithm that solves both of the above problems. Specifically, our algorithm learns automatically and incrementally the weakest assumption $L_W$ that can discharge the first premise of AG-NC. During this process, it is guaranteed to reach one of the following two situations in a finite number of steps and to terminate with the correct result:

1. It discovers an assumption that can discharge both premises of AG-NC and terminates with TRUE.

2. It discovers a counterexample $CE$ to $L_1 \parallel L_2 \subseteq L_S$ and returns FALSE along with $CE$.

We present complete details of our algorithm, as well as its complexity, later in Section 5. First we discuss formally the notion of the weakest assumption $L_W$.

4.2 Weakest Assumption

Consider the proof rule AG-NC. For any $L_1$ and $L_S$, let $\mathbb{L}$ be the set of all languages that can discharge the first premise of AG-NC. In other words, $\mathbb{L} = \{ L_A \mid (L_1 \parallel L_A) \subseteq L_S \}$. The following central theorem asserts that $\mathbb{L}$ contains a unique weakest (maximal) element $L_W$ that is also regular. This result is crucial for showing the termination of our approach.

Theorem 1 Let $L_1$ and $L_S$ be any RFLs and let $f$ range over failures. Define a language $L_W$ as follows: $L_W = \{ f \mid (L_1 \parallel \{f\}) \subseteq L_S \}$. Then the following hold: (i) $L_1 \parallel L_W \subseteq L_S$, (ii) $\forall L \,.\, L_1 \parallel L \subseteq L_S \iff L \subseteq L_W$, and (iii) $L_W$ is regular.
Proof. We first prove (i) by contradiction. Suppose there exist $(t, R_1) \in L_1$ and $(t, R_2) \in L_W$ such that $(t, R_1 \cup R_2) \notin L_S$. But then $(t, R_1 \cup R_2) \in L_1 \parallel \{(t, R_2)\}$, which means $L_1 \parallel \{(t, R_2)\} \not\subseteq L_S$. However, this contradicts $(t, R_2) \in L_W$.

Now, we only prove the forward implication of (ii). The reverse implication follows from (i) and Lemma 3. This proof is also by contradiction. Suppose there exists a language $L$ such that $L_1 \parallel L \subseteq L_S$ and $L \not\subseteq L_W$. Then there exists some $(t, R_2) \in L \setminus L_W$. But since $(t, R_2) \notin L_W$, there exists $(t, R_1) \in L_1$ such that $(t, R_1 \cup R_2) \notin L_S$. However, this means that $(t, R_1 \cup R_2) \in L_1 \parallel L$, which contradicts $L_1 \parallel L \subseteq L_S$.

Finally, to prove that $L_W$ is regular we construct an FLA $A_W$ such that $\mathcal{L}(A_W) = L_W$. Let $A_1 = (M_1, F_1, \mu_1)$ and $A_S = (M_S, F_S, \mu_S)$ be deterministic and complete FLA accepting $L_1$ and $L_S$ respectively, such that $M_1 = (S_1, Init_1, \Sigma, \delta_1)$ and $M_S = (S_S, Init_S, \Sigma, \delta_S)$. Then $A_W = (M_1 \parallel M_S, F_W, \mu_W)$. To define the set of final states $F_W$ and the labeling function $\mu_W$ of $A_W$, we first define the extended labeling function $\hat{\mu} : S \to 2^{2^\Sigma}$ of any FLA as follows: $\hat{\mu}(s) = \mu(s)$ if $s$ is a final state and $\emptyset$ otherwise. Then the extended labeling function of $A_W$ is defined as follows:

$$\hat{\mu}(s_1, s_S) = \{ R \subseteq \Sigma \mid \forall R_1 \in \hat{\mu}(s_1) \,.\, \exists R_S \in \hat{\mu}(s_S) \,.\, (R_1 \cup R) \subseteq R_S \}$$

Note that the set $\hat{\mu}(s_1, s_S)$ is always downward-closed. In other words

$$\forall R \subseteq \Sigma \,.\, \forall R' \subseteq \Sigma \,.\, R \in \hat{\mu}(s_1, s_S) \wedge R' \subseteq R \Rightarrow R' \in \hat{\mu}(s_1, s_S)$$

Then the definitions of $F_W$ and $\mu_W$ follow naturally:

$$F_W = \{ (s_1, s_S) \mid \hat{\mu}(s_1, s_S) \neq \emptyset \}$$

$$\forall (s_1, s_S) \in F_W \,.\, \mu_W(s_1, s_S) = Max(\hat{\mu}(s_1, s_S))$$

Note that since $A_1$ and $A_S$ are both deterministic and complete, so is $A_W$. Also, for any state $(s_1, s_S)$ of $A_W$ and any $t \in \Sigma^*$, we have $\delta((s_1, s_S), t) = (\delta(s_1, t), \delta(s_S, t))$. We now prove that $\mathcal{L}(A_W) = L_W$. Consider any failure $(t, R) \in (\Sigma^* \times 2^\Sigma)$. Let $(s_1, s_S) = \delta((Init_1, Init_S), t)$. We consider two sub-cases.

Case 1 [$(t, R) \in \mathcal{L}(A_W)$]: Then we know that $R \in \hat{\mu}(s_1, s_S)$. Now consider the language $L = L_1 \parallel \{(t, R)\}$. By Definition 9, any element of $L$ must be of the form $(t, R_1 \cup R)$ for some $R_1 \in \hat{\mu}(s_1)$. Also, from the definition of $\hat{\mu}$ above we have $\exists R_S \in \hat{\mu}(s_S) \,.\, (R_1 \cup R) \subseteq R_S$. Hence $(t, R_1 \cup R) \in L_S$. Since $(t, R_1 \cup R)$ is an arbitrary element of $L$, we conclude that $L \subseteq L_S$. Hence, from the definition of $L_W$ above we have $(t, R) \in L_W$, which completes the proof of this sub-case.

Case 2 [$(t, R) \notin \mathcal{L}(A_W)$]: In this case, $R \notin \hat{\mu}(s_1, s_S)$. Then, from the definition of $\hat{\mu}$ above, we have $\exists R_1 \in \hat{\mu}(s_1) \,.\, \forall R_S \in \hat{\mu}(s_S) \,.\, (R_1 \cup R) \not\subseteq R_S$. Now consider the language $L = L_1 \parallel \{(t, R)\}$. By Definition 9, $(t, R_1 \cup R) \in L$. However, from $\forall R_S \in \hat{\mu}(s_S) \,.\, (R_1 \cup R) \not\subseteq R_S$, we have $(t, R_1 \cup R) \notin L_S$. Hence, $L \not\subseteq L_S$. Thus, from the definition of $L_W$ above we have $(t, R) \notin L_W$, which completes the proof of this sub-case and of the entire theorem.

Now that we have proved that the weakest environment assumption $L_W$ is regular, we can apply a learning algorithm to iteratively construct an FLA assumption that accepts $L_W$. In particular, we develop a learning algorithm that iteratively learns the minimal DFLA corresponding to $L_W$. The algorithm asks queries about $L_W$ to a minimally adequate teacher (MAT) and learns from the answers. In the next section, we present this algorithm. Subsequently, in Section 6, we describe how it is used in our compositional language containment procedure. If you are only interested in the overall compositional deadlock-detection algorithm and not the intricacies of the learning algorithm, you should skip to Section 6.
5 Learning FLA

In this section we present an algorithm to learn the minimal FLA that accepts an unknown RFL $U$. Our algorithm will use a minimally adequate teacher (MAT) that can answer two kinds of queries regarding $U$:

1. Membership query: Given a failure $e$, the MAT returns TRUE if $e \in U$ and FALSE otherwise.

2. Candidate query: Given a DFLA $C$, the MAT returns TRUE if $\mathcal{L}(C) = U$. Otherwise, it returns FALSE along with a counterexample failure $CE \in (\mathcal{L}(C) \setminus U) \cup (U \setminus \mathcal{L}(C))$.

5.1 Observation Table

The algorithm uses an observation table to record the information it obtains by querying the MAT. The rows and columns of the table correspond to specific traces and failures respectively. Formally, a table is a triple $(T, E, M)$ where: (i) $T \subseteq \Sigma^*$ is a set of traces; (ii) $E \subseteq \Sigma^* \times 2^\Sigma$ is a set of failures, or experiments; and (iii) $M$ is a function from $\overline{T} \times E$ to $\{0, 1\}$ where $\overline{T} = T \cup (T \cdot \Sigma)$. For any table $\mathcal{T} = (T, E, M)$, the function $M$ is defined as follows:

$$\forall t \in \overline{T} \,.\, \forall e = (t', R) \in E \,.\, M(t, e) = 1 \iff (t \cdot t', R) \in U$$

Thus, given $T$ and $E$, the algorithm can compute $M$ via membership queries to the MAT. For any $t \in \overline{T}$, we write $M(t)$ to mean the function from $E$ to $\{0, 1\}$ defined as follows:

$$\forall e \in E \,.\, M(t)(e) = M(t, e)$$

An observation table $\mathcal{T} = (T, E, M)$ is said to be well-formed iff the following holds:

$$\forall t_1 \in T \,.\, \forall t_2 \in T \,.\, t_1 \neq t_2 \Rightarrow M(t_1) \neq M(t_2)$$

Essentially, this means that any two distinct rows $t_1$ and $t_2$ of a well-formed table can be distinguished by some experiment $e \in E$. There is also an upper bound on the number of rows of any well-formed table, as expressed by the following lemma.


Lemma 7 Let $n$ be the number of states of the minimal DFLA accepting $U$ and let $\mathcal{T} = (T, E, M)$ be any well-formed observation table. Then $|T| \leq n$.

Proof. The proof is by contradiction. Suppose that $|T| > n$. Let the minimal DFLA accepting $U$ be $A$. Then there exist two distinct traces $t_1$ and $t_2$ in $T$ such that $\delta(Init, t_1) = \delta(Init, t_2)$. In other words, the FLA $A$ reaches the same state on inputs $t_1$ and $t_2$. But since $\mathcal{T}$ is well-formed, there exists some failure $e = (t, \rho) \in E$ such that $M(t_1, e) \neq M(t_2, e)$. In other words, $(t_1 \cdot t, \rho) \in U \iff (t_2 \cdot t, \rho) \notin U$. This is impossible, since $A$ would reach the same state on inputs $t_1 \cdot t$ and $t_2 \cdot t$.
Input: well-formed observation table $\mathcal{T} = (T, E, M)$
while $\mathcal{T}$ is not closed do
    pick $t \in T$ and $a \in \Sigma$ such that $\forall t' \in T \,.\, M(t \cdot a) \neq M(t')$
    add $t \cdot a$ to $T$ and update $M$ accordingly
return $\mathcal{T}$

Figure 2: Algorithm MakeClosed.


Closed Observation Table. An observation table $\mathcal{T} = (T, E, M)$ is said to be closed iff it satisfies the following:

$$\forall t \in T \,.\, \forall a \in \Sigma \,.\, \exists t' \in T \,.\, M(t \cdot a) = M(t')$$

Intuitively, if we extend any trace $t \in T$ by any action $a$, then the result is indistinguishable from an existing trace $t' \in T$ under the current set of experiments $E$. Note that any well-formed table can be extended so that it is both well-formed and closed. This extension can be achieved by the algorithm MakeClosed shown in Figure 2. Observe that at every step of MakeClosed, the table $\mathcal{T}$ remains well-formed and hence, by Lemma 7, cannot grow indefinitely. Also note that restricting the refusals considered to those occurring in $E$ allows us to avoid considering the exponentially many possible refusal extensions of a trace while closing the table. An exponential number of membership queries is required only if all possible refusals occur in $E$.

5.2 Overall Algorithm

The algorithm is iterative. It starts with a table $\mathcal{T} = (T, E, M)$ such that $T = \{\epsilon\}$ and $E = \emptyset$. The initial table is well-formed. Subsequently, in each iteration it performs the following steps:

1. Make $\mathcal{T}$ closed by invoking MakeClosed.

2. Construct a candidate DFLA $C$ from $\mathcal{T}$ and make a candidate query with $C$.

3. If the answer is TRUE, terminate with $C$ as the final answer.

4. Otherwise, use the counterexample $CE$ to the candidate query to add a single new failure to $E$ and repeat from Step 1.

In each iteration, the algorithm either terminates with the correct answer (Step 3) or adds a new failure to $E$ (Step 4). In the latter case, the new failure is constructed so as to guarantee an upper bound on the total number of iterations, which ensures termination. We now present the procedures for: (i) constructing a candidate DFLA $C$ from a closed and well-formed table $\mathcal{T}$ (used in Step 2 above), and (ii) adding a new failure to $E$ based on a counterexample to a candidate query (Step 4).
5.3 Candidate Construction

Let $\mathcal{T} = (T, E, M)$ be a closed and well-formed observation table. The candidate DFLA $C$ is constructed from $\mathcal{T}$ as follows: $C = (M, F, \mu)$ and $M = (S, Init, \Sigma, \delta)$ such that

• $S = T$: Each state of $M$ corresponds to a distinct row of $\mathcal{T}$.

• $Init = \epsilon$: The initial state of $M$ corresponds to the empty trace. The empty trace always belongs to $T$, since initially $T = \{\epsilon\}$ and subsequently $T$ grows monotonically.

• $\delta$ is constructed as follows: Consider any $t \in T$ and $a \in \Sigma$. Since $\mathcal{T}$ is well-formed and closed, we know that there exists a unique $t' \in T$ such that $M(t \cdot a) = M(t')$. Then, we add $t \xrightarrow{a} t'$ to $\delta$. In other words

$$\delta = \{ t \xrightarrow{a} t' \mid M(t \cdot a) = M(t') \}$$

• The state corresponding to a row $t$ is final if there exists a successful failure $e \in E$ from $t$ such that the trace component of $e$ is empty. In other words

$$F = \{ t \mid \exists e = (\epsilon, \rho) \in E \,.\, M(t, e) = 1 \}$$

Finally, the mapping $\mu$ is constructed as follows. Let $t \in F$ be any final state of $M$. Consider the set $P = \{ R \mid e = (\epsilon, R) \in E \wedge M(t, e) = 1 \}$. From the definition of $F$ above, we know that $P \neq \emptyset$. Then $\mu(t) = Max(P)$. We now present the algorithm to add new failures to $\mathcal{T}$ using a counterexample $CE$ to a candidate query made with a DFLA $C$ constructed as above.

5.4 Adding New Failures

Let $C = (M, F, \mu)$ be a candidate DFLA such that $M = (S, Init, \Sigma, \delta)$. Let $CE = (t, R)$ be a counterexample to a candidate query made with $C$. In other words, $CE \in \mathcal{L}(C) \iff CE \notin U$. The algorithm NewExp adds a single new failure to $\mathcal{T}$ as follows. Let $t = a_1 \cdot \ldots \cdot a_k$. For $0 \leq i \leq k$, let $t_i$ be the prefix of $t$ of length $i$ and $t^i$ be the suffix of $t$ of length $k - i$. In other words, for $0 \leq i \leq k$, we have $t_i \cdot t^i = t$.

Additionally, for $0 \leq i \leq k$, let $s_i$ be the state of $C$ reached by executing $t_i$. In other words, $s_i = \delta(t_i)$. Since the candidate $C$ was constructed from an observation table $\mathcal{T}$, $s_i$ corresponds to a row of $\mathcal{T}$, which in turn corresponds to a trace. Let us also refer to this trace as $s_i$. Finally, let $b_i = 1$ if the failure $(s_i \cdot t^i, R) \in U$ and $0$ otherwise. Note that we can compute $b_i$ by evaluating $s_i$ and then making a membership query with $(s_i \cdot t^i, R)$. In particular, $s_0 = \epsilon$ and hence $b_0 = 1$ if $CE \in U$ and $0$ otherwise. We now consider two cases.

Case 1: [$b_0 = 0$] means that $CE \notin U$ and hence $CE \in \mathcal{L}(C)$. Recall that $CE = (t, R)$ and $t = a_1 \cdot \ldots \cdot a_k$. Consider the state $s_k = \delta(t)$ as described above. Since $CE \in \mathcal{L}(C)$, we know that $s_k \in F$ and $\exists R' \in \mu(s_k) \,.\, R \subseteq R'$. Also, since $C$ was constructed (see Section 5.3) from a table $\mathcal{T} = (T, E, M)$, we know that $(\epsilon, R') \in E$ and $M(s_k, R') = 1$. However, this means that the failure $(s_k, R') \in U$. Since $R \subseteq R'$, it follows that $(s_k, R) \in U$ and therefore $b_k = 1$. Since $b_0 = 0$ and $b_k = 1$, there exists an index $j \in \{0, \ldots, k\}$ such that $b_j = 0$ and $b_{j+1} = 1$. In this case, the algorithm finds such an index $j$ and adds the failure $(t^{j+1}, R)$ to $E$. We now show that the failure $e = (t^{j+1}, R)$ has a special property.

Since $C$ contained a transition $s_j \xrightarrow{a_{j+1}} s_{j+1}$, it must be the case that $M(s_j \cdot a_{j+1}) = M(s_{j+1})$. However, $M(s_j \cdot a_{j+1}, e) = b_j \neq b_{j+1} = M(s_{j+1}, e)$. Thus, after adding $e$ to $E$, the table is no longer closed. Hence, when the algorithm attempts to make $\mathcal{T}$ closed in the very next iteration, it will be forced to increase the number of rows of $\mathcal{T}$ by at least one.

Case 2: [$b_0 = 1$] means that $CE \in U$ and hence $CE \notin \mathcal{L}(C)$. We consider two sub-cases. First, suppose that $b_k = 0$. Then there exists an index $j \in \{0, \ldots, k\}$ such that $b_j = 1$ and $b_{j+1} = 0$. In this case, the algorithm finds such an index $j$ and adds the failure $(t^{j+1}, R)$ to $E$. As in Case 1 above, this guarantees that the number of rows of $\mathcal{T}$ must strictly increase in the next iteration.

Otherwise, we have $b_k = 1$, which means that the failure $(s_k, R) \in U$. However, since $CE \notin \mathcal{L}(C)$ we know that either $s_k$ is not a final state of $C$ or $\forall R' \in \mu(s_k) \,.\, R \not\subseteq R'$. In this scenario, the algorithm computes a maximal element $R_{max}$ such that $R \subseteq R_{max}$ and $(s_k, R_{max}) \in U$. It then adds the failure $(\epsilon, R_{max})$ to $E$.

The addition of $(\epsilon, R_{max})$ to $E$ must lead to at least one of two consequences in the next iteration, in terms of the next computed candidate DFLA. First, the number of rows of $\mathcal{T}$ and states of the candidate may increase. Otherwise, either the state $s_k$ changes from a non-final to a final state or the set $\mu(s_k)$ gets an additional element, namely $R_{max}$.
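The observation table, MakeClosed, candidate construction and NewExp of Sections 5.1 to 5.4, as one added example that is not the report's own implementation. The unknown language $U$ (refuse at most $\{b\}$ after an even number of $a$'s and at most $\{a\}$ after an odd number, over the alphabet $\{a, b\}$), and the bounded exhaustive comparison that stands in for the MAT's candidate query, are constructed for this illustration; the report's MAT answers that query through the compositional procedure of Section 6 instead. The index $j$ is found by the binary search that the complexity analysis below assumes, and $R_{max}$ by greedily growing $R$ one action at a time, which is maximal because failure sets are downward-closed.

```python
from itertools import combinations, product

SIGMA = ("a", "b")

# Constructed unknown RFL U standing in for the MAT's secret: after an even
# number of a's the process may refuse any subset of {b}, after an odd number
# any subset of {a}. Its minimal DFLA has two states.
def member(trace, refusal):
    even = trace.count("a") % 2 == 0
    return frozenset(refusal) <= (frozenset("b") if even else frozenset("a"))

def all_refusals(sigma):
    return [frozenset(c) for r in range(len(sigma) + 1) for c in combinations(sigma, r)]

class Table:
    """Observation table (T, E, M): rows are the traces of T and T.Sigma, columns
    are experiments (t', R), and M(t, e) = 1 iff (t.t', R) is in U (one membership
    query per cell)."""
    def __init__(self, member, sigma):
        self.member, self.sigma = member, sigma
        self.T, self.E = [()], []          # initially T = {epsilon}, E = {}

    def row(self, t):
        return tuple(int(self.member(t + t2, R)) for (t2, R) in self.E)

    def make_closed(self):
        """Figure 2: while some t.a has a row equal to no row of T, add t.a to T."""
        while True:
            rows = {self.row(t) for t in self.T}
            ext = (t + (a,) for t in self.T for a in self.sigma)
            new = next((u for u in ext if self.row(u) not in rows), None)
            if new is None:
                return
            self.T.append(new)

    def candidate(self):
        """Section 5.3: states are the rows of T, Init = epsilon, t --a--> t' when
        M(t.a) = M(t'), t is final iff some (epsilon, R) in E succeeds from t, and
        mu(t) = Max of those R.  Returns (delta, mu); the final states are mu's keys."""
        index = {self.row(t): t for t in self.T}
        delta = {(t, a): index[self.row(t + (a,))] for t in self.T for a in self.sigma}
        mu = {}
        for t in self.T:
            P = {R for (t2, R) in self.E if t2 == () and self.member(t, R)}
            if P:
                mu[t] = {R for R in P if not any(R < Q for Q in P)}
        return delta, mu

def cand_accepts(delta, mu, trace, refusal):
    s = ()
    for a in trace:
        s = delta[(s, a)]
    return s in mu and any(frozenset(refusal) <= R for R in mu[s])

def candidate_query(delta, mu, member, sigma, max_len=4):
    """Stand-in for the MAT's candidate query (constructed): compare L(C) with U
    on every failure whose trace is at most max_len long; None means they agree."""
    for n in range(max_len + 1):
        for t in product(sigma, repeat=n):
            for R in all_refusals(sigma):
                if cand_accepts(delta, mu, t, R) != member(t, R):
                    return (t, R)
    return None

def new_experiment(table, delta, ce):
    """NewExp (Section 5.4): turn the counterexample CE = (t, R) into one new
    failure for E.  s[i] is the row trace of the state reached by the i-th prefix
    of t and b[i] records whether (s_i . t^i, R) is in U for the matching suffix."""
    t, R = ce
    k = len(t)
    s = [()]
    for a in t:
        s.append(delta[(s[-1], a)])
    b = [int(table.member(s[i] + t[i:], R)) for i in range(k + 1)]
    if b[0] != b[k]:
        # Cases 1 and 2a: binary-search j with b_j != b_{j+1}; the experiment
        # (t^{j+1}, R) separates rows s_j.a_{j+1} and s_{j+1}, so T stops being closed.
        lo, hi = 0, k
        while hi - lo > 1:
            mid = (lo + hi) // 2
            lo, hi = (mid, hi) if b[mid] == b[lo] else (lo, mid)
        return (t[lo + 1:], R)
    # Case 2b: b_0 = b_k = 1 yet CE is not in L(C).  Grow R to a maximal refusal
    # R_max with (s_k, R_max) in U and add (epsilon, R_max).
    r_max = set(R)
    for a in table.sigma:
        if a not in r_max and table.member(s[k], r_max | {a}):
            r_max.add(a)
    return ((), frozenset(r_max))

def learn(member, sigma=SIGMA, max_iter=50):
    """Section 5.2 loop: close the table, build a candidate, query it, refine E."""
    table = Table(member, sigma)
    for _ in range(max_iter):
        table.make_closed()
        delta, mu = table.candidate()
        ce = candidate_query(delta, mu, member, sigma)
        if ce is None:
            return table, delta, mu
        table.E.append(new_experiment(table, delta, ce))
    raise RuntimeError("candidate did not converge")

if __name__ == "__main__":
    table, delta, mu = learn(member)
    print("rows:", table.T, "experiments:", table.E)
    print("delta:", delta, "mu:", mu)
```

On this $U$ the loop takes three iterations and shows all three kinds of change from Section 5.5: the first counterexample $(\epsilon, \emptyset)$ is handled by Case 2b and adds $(\epsilon, \{b\})$, which un-closes the table and adds the row $a$ (Ch1) while making $\epsilon$ final (Ch2); the second, $(a, \emptyset)$, again hits Case 2b and adds $(\epsilon, \{a\})$, which turns the state $a$ final without adding rows; the third candidate has two states with $\mu(\epsilon) = \{\{b\}\}$ and $\mu(a) = \{\{a\}\}$ and passes the query.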

Relationship Between Our Algorithm and L*. Although our algorithm and L* are similar in their overall structure, there are a number of differences. First, since our algorithm learns a failure automaton, the columns of the observation table store failures instead of traces as in L*. Second, when it learns from a counterexample, an iteration need not involve an increase in the number of states; instead, the failure label on one or more states may be enlarged.

5.5 Correctness of the Algorithm

The algorithm always returns the correct answer in Step 3, since it does so only after a successful candidate query. To confirm that it always terminates, observe that in every iteration, the candidate $C$ it computes undergoes at least one of these three changes:

• (Ch1) The number of states of $C$, and the number of rows in the observation table $\mathcal{T}$, increases.

• (Ch2) The states and transitions of $C$ remain unchanged, but a state of $C$ that was previously non-final becomes final.

• (Ch3) The states, transitions and final states of $C$ remain unchanged, but for some final state $s$ of $C$, the size of $\mu(s)$ increases.

Of the above changes, Ch1 can happen at most $n$ times, where $n$ is the number of states of the minimal DFLA accepting $U$. Between any two consecutive occurrences of Ch1, there can only be a finite number of occurrences of Ch2 and Ch3. Hence, there can only be a finite number of iterations, and the algorithm always terminates.

Number of Iterations. To analyze the complexity of the algorithm we must impose a tighter bound on the number of iterations. We already know that Ch1 can happen at most $n$ times. Since a final state can never become non-final, Ch2 can also occur at most $n$ times. Now, let the minimal DFLA accepting $U$ be $A = (M, F, \mu)$ such that $M = (S, Init, \Sigma, \delta)$. Consider the set $P = \bigcup_{s \in F} \mu(s)$ and let $n' = |P|$. Since each Ch3 adds an element to $\mu(s)$ for some $s \in F$, the total number of occurrences of Ch3 is at most $n'$. Therefore, the maximum number of iterations is $2n + n' = O(n + n')$.

Time Complexity. Let us make the standard assumption that each MAT query takes $O(1)$ time. From the above discussion, we see that the number of columns of the observation table is at most $O(n + n')$. The number of rows is at most $O(n)$. Let us assume that the size of $\Sigma$ is a constant. Then, the number of membership queries, and hence the time, needed to fill up the table is $O(n(n + n'))$.

Let $m$ be the length of the longest counterexample returned by a candidate query. Then to add each new failure, we have to make $O(\log m)$ membership queries to find the appropriate index $j$. Also, let the time required to find the maximal element $R_{max}$ be $O(m')$. The total time required for constructing the new failures over all iterations is $O((n + n')(\log m + m'))$. Finally, the number of candidate queries equals the number of iterations and hence is $O(n + n')$. In summary, the time complexity of the algorithm is $O((n + n')(n + \log m + m'))$, which is polynomial in $n$, $n'$, $m$ and $m'$.

Space Complexity. Let us again make the standard assumption that each MAT query takes $O(1)$ space. Since the queries are made sequentially, the total space requirement for all of them is still $O(1)$. Also, the procedure for constructing a new failure can be performed in $O(1)$ space. A trace corresponding to a table row can be $O(n)$ long, and there are $O(n)$ of them. A failure corresponding to a table column can be $O(m)$ long, and there are $O(n + n')$ of them. The space required to store the table elements is $O(n(n + n'))$. Hence the total space required for the observation table is $O((n + m)(n + n'))$. The space required to store computed candidates is $O(n^2)$. Therefore, the total space complexity is $O((n + m)(n + n'))$, which is also polynomial in $n$, $n'$ and $m$.
6 Compositional Language Containment

Given RFLs $L_1$, $L_2$ and $L_S$ (in the form of FLA that accept them), we want to check whether $L_1 \parallel L_2 \subseteq L_S$. If not, we also want to generate a counterexample $CE \in (L_1 \parallel L_2) \setminus L_S$. To this end, we invoke the learning algorithm to learn the weakest environment corresponding to $L_1$ and $L_S$. We present an implementation strategy for the MAT to answer the membership and candidate queries that the algorithm poses. In the following, we assume that $A_1$, $A_2$ and $A_S$ are the given FLAs such that $\mathcal{L}(A_1) = L_1$, $\mathcal{L}(A_2) = L_2$ and $\mathcal{L}(A_S) = L_S$.

Membership Query. The answer to a membership query with failure $e = (t, R)$ is TRUE if the following condition (which can be effectively decided) holds, and FALSE otherwise:

$$\forall (t, R_1) \in L_1 \,.\, (t, R_1 \cup R) \in L_S$$

Candidate Query. A candidate query with an FLA $C$ is answered step-wise as follows:

1. Check whether $\mathcal{L}(A_1 \parallel C) \subseteq \mathcal{L}(A_S)$. If not, let $(t, R_1 \cup R)$ be the counterexample obtained. Note that $(t, R) \in \mathcal{L}(C) \setminus U$. We return FALSE to the learning algorithm along with the counterexample $(t, R)$. If $\mathcal{L}(A_1 \parallel C) \subseteq \mathcal{L}(A_S)$, we proceed to Step 2.

2. Check whether $\mathcal{L}(A_2) \subseteq \mathcal{L}(C)$. If so, we have obtained an assumption, namely $\mathcal{L}(C)$, that discharges both premises of AG-NC. In this case, the overall language containment algorithm terminates with TRUE. Otherwise, let $(t', R')$ be the counterexample obtained. We proceed to Step 3.

3. We check whether there exists $(t', R'_1) \in \mathcal{L}(A_1)$ such that $(t', R'_1 \cup R') \notin \mathcal{L}(A_S)$. If so, then $(t', R'_1 \cup R') \in \mathcal{L}(A_1 \parallel A_2) \setminus \mathcal{L}(A_S)$, and the overall language containment algorithm terminates with FALSE and the counterexample $(t', R'_1 \cup R')$. Otherwise, $(t', R') \in U \setminus \mathcal{L}(C)$, and we return FALSE to the learning algorithm along with the counterexample $(t', R')$.

Note that in these queries, we are never required to compose $A_1$ with $A_2$. In practice, the candidate $C$ (which we compose with $A_1$ in Step 1 of the candidate query) is much smaller than $A_2$. Thus, we are able to alleviate the statespace explosion problem. Also, note that our procedure will ultimately terminate with the correct result from either Step 2 or Step 3 of the candidate query. This follows from the correctness of the learning algorithm: in the worst case, the candidate query will be made with an FLA $C$ such that $\mathcal{L}(C) = L_W$. In this scenario, termination is guaranteed by Theorem 1.
7 Arbitrary Components and Circularity

We investigated two approaches for handling more than two components. First, we applied AG-NC recursively. This approach can be demonstrated for languages $L_1$, $L_2$, $L_3$ and $L_S$ by the following proof rule:

$$\frac{L_1 \parallel L_A^1 \subseteq L_S \qquad \dfrac{L_2 \parallel L_A^2 \subseteq L_A^1 \qquad L_3 \subseteq L_A^2}{L_2 \parallel L_3 \subseteq L_A^1}}{L_1 \parallel L_2 \parallel L_3 \subseteq L_S}$$

At the top level, we apply AG-NC on the two languages $L_1$ and $L_2 \parallel L_3$. Now the second premise becomes $L_2 \parallel L_3 \subseteq L_A^1$ and we can again apply AG-NC. In terms of the implementation of the MAT, the only difference is in Step 2 of the candidate query (see Section 6). More specifically, we now invoke the language containment procedure recursively with $\mathcal{L}(A_2)$, $\mathcal{L}(A_3)$ and $\mathcal{L}(C)$ instead of checking directly for $\mathcal{L}(A_2) \subseteq \mathcal{L}(C)$. This technique can be extended to any finite number of components.

Circular AG Rule. We also explored a circular AG rule. Unlike AG-NC, however, the circular rule is specific to deadlock detection and not applicable to language containment in general. For any RFL $L$, let us write $W(L)$ to denote the weakest assumption against which $L$ does not deadlock. In other words, $\forall L' \,.\, L \parallel L' \subseteq L_{Dlk} \iff L' \subseteq W(L)$. It can be shown that:

(PROP) $\forall t \in \Sigma^* \,.\, \forall R \subseteq \Sigma \,.\, (t, R) \in L \iff (t, \Sigma \setminus R) \notin W(L)$.

The following theorem provides a circular AG rule for deadlock detection.

Theorem 2 Consider any two RFLs $L_1$ and $L_2$. Then the following proof rule, which we call AG-Circ, is both sound and complete:

$$\frac{L_1 \parallel L_A^1 \subseteq L_{Dlk} \qquad L_2 \parallel L_A^2 \subseteq L_{Dlk} \qquad W(L_A^1) \parallel W(L_A^2) \subseteq L_{Dlk}}{L_1 \parallel L_2 \subseteq L_{Dlk}}$$

Proof. We first prove soundness by contradiction. Assume that the three premises hold but the conclusion does not. Then there exist a trace $t$ and a refusal $R$ such that $(t, R) \in L_1$ and $(t, \Sigma \setminus R) \in L_2$. From the first premise, we see that $(t, \Sigma \setminus R) \notin L_A^1$. Similarly, from the second premise, we get $(t, R) \notin L_A^2$. Therefore, by PROP, we have $(t, R) \in W(L_A^1)$ and $(t, \Sigma \setminus R) \in W(L_A^2)$. But then $(t, \Sigma) \in W(L_A^1) \parallel W(L_A^2)$, which contradicts the third premise.

We now prove completeness. Let us assume the conclusion. We show that if we set $L_A^1 = W(L_1)$ and $L_A^2 = W(L_2)$, then all three premises are satisfied. The first two premises follow from the definitions of $W(L_1)$ and $W(L_2)$. We prove the third premise by contradiction. Suppose there exist a trace $t$ and a refusal $R$ such that $(t, R) \in W(W(L_1))$ and $(t, \Sigma \setminus R) \in W(W(L_2))$. Then, by PROP, we know that $(t, \Sigma \setminus R) \notin W(L_1)$ and $(t, R) \notin W(L_2)$. However, again by PROP, this means that $(t, R) \in L_1$ and $(t, \Sigma \setminus R) \in L_2$, and hence $(t, \Sigma) \in L_1 \parallel L_2$, which contradicts the conclusion.

Implementation. To use this rule for deadlock detection of two components $L_1$ and $L_2$ (the approach generalizes to any finite number of components), we use the following iterative procedure:

1. Using the first premise, construct a candidate $C_1$ similar to Step 1 of the candidate query in AG-NC (see Section 6). Similarly, using the second premise, construct another candidate $C_2$. Construction of $C_1$ and $C_2$ proceeds exactly as in the case of AG-NC.

2. Check if $W(\mathcal{L}(C_1)) \parallel W(\mathcal{L}(C_2)) \subseteq L_{dlk}$. This check is done either directly or via compositional language containment using AG-NC. We compute the automata for $W(\mathcal{L}(C_1))$ and $W(\mathcal{L}(C_2))$ using the procedure described in the proof of Theorem 1. If the check succeeds, then there is no deadlock in $L_1 \parallel L_2$ and we exit successfully. Otherwise, we proceed to Step 3.

3. From the counterexample obtained above, construct $t \in \Sigma^*$ and $R \subseteq \Sigma$ such that $(t, R) \in W(\mathcal{L}(C_1))$ and $(t, \Sigma \setminus R) \in W(\mathcal{L}(C_2))$. Check if $(t, R) \in L_1$ and $(t, \Sigma \setminus R) \in L_2$. If both these checks pass, then we have a counterexample $t$ to the overall deadlock-detection problem and we terminate unsuccessfully. Otherwise, without loss of generality, suppose $(t, R) \notin L_1$. But then, from PROP, $(t, \Sigma \setminus R) \in W(L_1)$. Again from PROP, since $(t, R) \in W(\mathcal{L}(C_1))$, we have $(t, \Sigma \setminus R) \notin \mathcal{L}(C_1)$, which is equivalent to a failed candidate query for $C_1$ with counterexample $(t, \Sigma \setminus R)$. We repeat from Step 1 above.

Note  that  even  though  we  have  presented  AG-Circ  in  the  context  of  only  two  components, 
it  generalizes  to  an  arbitrary,  but  finite,  number  of  components. 
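The weakest assumption $W(L)$, PROP and the AG-Circ premises above, worked on small failure sets, as an added example that is not the report's code. It assumes one shared alphabet with synchronisation on every action (refusals unioned under $\parallel$), traces bounded by a fixed length, and $W(L)$ computed directly from PROP rather than by the automaton construction of Theorem 1; the LTSs A and B_BAD are constructed for illustration.

```python
from itertools import combinations, product

# Constructed example, not the report's code: failure sets of small deterministic
# LTSs over one shared alphabet, the weakest assumption W(L), and the AG-Circ check.
SIGMA = frozenset({"lock", "use", "unlock"})
DEPTH = 4  # every failure set below is restricted to traces of length <= DEPTH
TRACES = [t for n in range(DEPTH + 1) for t in product(sorted(SIGMA), repeat=n)]
REFUSALS = [frozenset(c) for n in range(len(SIGMA) + 1)
            for c in combinations(sorted(SIGMA), n)]

def failures(lts, init):
    """Failures (t, R) of a deterministic LTS {state: {action: next_state}}:
    after trace t the process may refuse any R disjoint from its enabled set."""
    fails, frontier = set(), [((), init)]
    while frontier:
        t, s = frontier.pop()
        fails.update((t, r) for r in REFUSALS if not (r & set(lts[s])))
        if len(t) < DEPTH:
            frontier.extend((t + (a,), s2) for a, s2 in lts[s].items())
    return fails

def compose(l1, l2):
    """L1 || L2 synchronising on all of SIGMA: same trace, refusals unioned."""
    by_trace = {}
    for t, r in l2:
        by_trace.setdefault(t, []).append(r)
    return {(t, r1 | r2) for t, r1 in l1 for r2 in by_trace.get(t, ())}

def deadlocks(l):
    """Traces after which L refuses all of SIGMA (empty iff L is in L_dlk)."""
    return sorted(t for t, r in l if r == SIGMA)

def weakest(l):
    """W(L) computed directly from PROP: (t, R) is allowed iff L cannot refuse
    SIGMA \\ R after t (the report builds W(L) as an automaton instead)."""
    return {(t, r) for t in TRACES for r in REFUSALS if (t, SIGMA - r) not in l}

def ag_circ(l1, l2, l1p, l2p):
    """The three AG-Circ premises and its conclusion, each as 'deadlock free?'."""
    premises = (not deadlocks(compose(l1, l2p)),
                not deadlocks(compose(l2, l1p)),
                not deadlocks(compose(weakest(l1p), weakest(l2p))))
    return premises, not deadlocks(compose(l1, l2))

# Two driver threads sharing one lock (cf. the ide benchmark). B_BAD re-acquires
# the lock instead of using it, so after trace (lock,) A offers only `use` and
# B_BAD only `lock`: their composition can refuse all of SIGMA.
A = {0: {"lock": 1}, 1: {"use": 2}, 2: {"unlock": 0}}
B_BAD = {0: {"lock": 1}, 1: {"lock": 2}, 2: {"unlock": 0}}
```

Instantiating the rule with $L_2' = W(L_1)$ and $L_1' = W(L_2)$, as in the completeness proof, makes the first two premises hold by construction, so the third premise alone decides between A ∥ A (deadlock free) and A ∥ B_BAD (deadlock after `lock`).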
8 Experimental Validation


We  implemented  our  algorithms  in  the  ComFoRT  [Chaki  05b]  reasoning  framework  and 
experimented  with  a  set  of  real-life  examples.  All  our  experiments  were  done  on  a  2.4GHz 
Pentium  4  machine  running  RedHat  Linux  9  and  with  a  time  limit  of  one  hour  and  a  memory 
limit  of  2GB.  Our  results  are  summarized  in  Table  3.  The  MC  benchmarks  are  derived  from 
Micro-C Version 2.70, a lightweight OS for real-time embedded applications. The IPC
benchmark  is  based  on  an  interprocess  communication  library  used  by  an  industrial  robot 
controller  software.  The  ide,  syn,  mx  and  tg3  examples  are  based  on  Linux  device  drivers. 
Finally,  DP  is  a  synthetic  benchmark  based  on  the  well-known  dining  philosophers  example. 

For  each  example,  we  obtained  a  set  of  benchmarks  by  increasing  the  number  of  components. 
For  each  such  benchmark,  we  tested  one  version  without  deadlock  and  another  with  an 
artificially  introduced  deadlock.  In  all  cases,  deadlock  was  caused  by  incorrect 
synchronization  between  components — the  only  difference  was  in  the  synchronization 
mechanism.  Specifically,  the  dining  philosophers  synchronized  using  “forks.”  In  all  other 
examples,  synchronization  was  achieved  via  a  shared  “lock.” 

For each benchmark, a finite LTS model was constructed via a predicate abstraction [Chaki 05b] that transformed the synchronization behavior into appropriate actions. For example, in the case of the ide benchmark, calls to the spin_lock and spin_unlock functions were transformed into lock and unlock actions, respectively. These function calls make sense because, for instance, multiple threads executing the driver for a specific device will acquire and release a common lock specific to that device by invoking spin_lock and spin_unlock, respectively.

For  each  abstraction,  appropriate  predicates  were  supplied  externally  so  that  the  resulting 
models  would  be  precise  enough  to  display  the  presence  or  absence  of  deadlock.  In  addition, 
care  was  taken  to  ensure  that  the  abstractions  were  sound  with  respect  to  deadlocks,  that  is, 
the  extra  behavior  introduced  did  not  eliminate  any  deadlock  in  the  concrete  system.  Each 
benchmark  was  verified  using  explicit  brute-force  statespace  exploration  (referred  to  in 
Table  3  as  “Plain”),  the  non-circular  AG  rule  (referred  to  as  AG-NC),  and  the  circular  AG 
rule (referred to as AG-Circ). When using AG-Circ (i.e., checking if $W(\mathcal{L}(C_1)) \parallel W(\mathcal{L}(C_2)) \subseteq L_{dlk}$), Step 2 was done via compositional language containment using AG-NC.

We  observe  that  the  AG-based  methods  outperform  the  naive  approach  for  most  benchmarks. 
More  importantly,  for  each  benchmark,  the  growth  in  memory  consumption  combined  with 
the  increasing  number  of  components  is  benign  for  both  AG-based  approaches.  This  bounded 
growth  indicates  that  AG  reasoning  is  effective  in  combating  statespace  explosion  even  for 
deadlock  detection.  We  also  note  that  larger  assumptions  (and  hence  time  and  memory)  are 
required  for  detecting  deadlocks  as  opposed  to  detecting  deadlock  freedom.  Among  the 
AG-based  approaches,  AG-Circ  is  generally  faster  than  AG-NC,  but  it  consumed  negligible 
extra  memory  on  a  few  occasions.  In  several  cases,  AG-NC  runs  out  of  time,  while 
AG-Circ  is  able  to  terminate  successfully.  Overall,  whenever  AG-NC  and  AG-Circ  differ 
significantly  in  any  real-life  example,  AG-Circ  is  superior. 
Figure 3: Experimental results. C = # of components; St = # of states of largest component; T = time (seconds); M = memory (MB); A = # of states of largest assumption; * = resource exhaustion; - = data unavailable; α = 1247; β = 1708. Best figures are shown in bold.
9 Conclusion


In  this  report,  we  have  extended  the  learning-based  automated  assume-guarantee  paradigm 
to  deadlock  detection.  We  have  defined  a  new  kind  of  automata,  which  are  similar  to  finite 
automata  but  accept  failures  instead  of  traces.  We  have  also  developed  an  algorithm  called 
that  is  similar  to  L*  and  learns  the  minimal  failure  automata  accepting  an  unknown 
regular  failure  language  using  a  minimally  adequate  teacher.  We  have  shown  how  can  be 
used  for  compositional  deadlock  detection  using  both  circular  and  non-circular 
assume-guarantee  rules.  Finally,  we  have  implemented  our  technique  and  obtained 
encouraging  experimental  results  on  several  nontrivial  benchmarks. 

We  believe  this  work  leaves  several  avenues  open  for  further  investigation.  An  intriguing 
question  concerns  the  relationship  between  learning  and  abstraction  refinement.  While  both 
approaches  construct  approximations  iteratively,  abstraction  refinement  always  strengthens 
its  approximation.  On  the  other  hand,  learning  may  either  strengthen  or  weaken  its 
assumption  depending  on  the  counterexample  to  the  candidate  query  that  the  MAT  returns. 
Another  issue  is  the  possibility  of  increasing  the  efficiency  of  our  approach  via  symbolic 
implementations.  Finally,  the  question  of  extending  the  automated  assume-guarantee  via 
learning  paradigm  to  yet  other  types  of  conformances  is  not  yet  settled.  For  instance,  it  is 
unclear  how  you  may  use  this  paradigm  to  carry  out  model  checking  against  specifications 
written in a temporal logic, such as the μ-calculus, CTL or LTL.